[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 21:41:03 UTC 2014


> Attack patterns are only "attack" if there is a vuln? Otherwise they 
are only character strings? Just saying.

 From what I am reading, Eoin, an attack pattern (per Mitre) is an 
ABSTRACT mechanism to describe how one would attack a vulnerable 
cyber-enabled system.

A vulnerability would be a weakness in a specific product or service.

This kind of makes sense to me. I've been reading a lot lately, and most 
folks mix these terms in various ways, hence my confusion. I get the 
impression that Mitre is doing this right, but I'm not 100% sure.

Aloha,
Jim


>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Very interesting, Timur and Eoin. I might be reading this wrong, but 
>> it looks to me that SQL Injection per Mitre is an ....
>>
>> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
>> ... caused by the *weakness* of lack of neutralization of special 
>> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
>> ... that *affects many products and services and makes them 
>> vulnerable* 
>> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>
>> So per Mitre, SQL Injection would NOT be a vulnerability, which is 
>> product-specific (CVE). SQL Injection per Mitre seems to be an attack 
>> pattern.
>>
>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist 
>> in understanding how an attack against vulnerable cyber-enabled 
>> capabilities is executed.
>>
>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of 
>> attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, 
>> a9).
>>
>> • A1 Injection
>> • A2 Broken Authentication and Session Management
>> • A3 Cross-Site Scripting (XSS)
>> • A4 Insecure Direct Object References
>> • A5 Security Misconfiguration
>> • A6 Sensitive Data Exposure
>> • A7 Missing Function Level Access Control
>> • A8 Cross-Site Request Forgery (CSRF)
>> • A9 Using Components with Known Vulnerabilities
>> • A10 Unvalidated Redirects and Forwards
>>
>> And just to make this more confusing, Mitre declares that SQL 
>> Injection is an attack pattern as described above, but considers SQL 
>> injection through Hibernate to be a weakness 
>> http://cwe.mitre.org/data/definitions/564.html which confuses the 
>> issue for me....
>>
>> Aloha,
>> Jim
>>
>> [1] This is not so accurate (debatable) but that is beside the 
>> point. :) Query parameterization does not neutralize special 
>> characters; it pre-compiles the query into a query plan that cannot 
>> be modified at query execution time. :)
>>
>>
>>
>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>> (vulnerability types, meta weaknesses)
>>>
>>> We may take the MITRE approach in order not to invent parallel 
>>> terminology.
>>>
>>> https://cwe.mitre.org (weaknesses, vuln types, ca. 700 elements)
>>> https://cve.mitre.org (vulnerabilities and exposures, thousands)
>>> https://capec.mitre.org (attack patterns)
>>>
>>>
>>> The top 41 SANS "Most Dangerous Software Errors":
>>> https://cwe.mitre.org/top25/index.html
>>> + 16
>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>
>>>
>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>>     Risk != vuln
>>>
>>>     Risk is defined as:
>>>     "(Exposure to) the possibility of loss, injury, or other adverse
>>>     or unwelcome circumstance; a chance or situation involving such
>>>     a possibility."
>>>
>>>     The result of a weakness being leveraged and unwelcome outcomes.
>>>
>>>
>>>
>>>     Eoin Keary
>>>     Owasp Global Board
>>>     +353 87 977 2988
>>>
>>>
>>>     On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>     >> T10 lists does not accurately
>>>     > reflect the most dangerous "risks" or that it would be better
>>>     to name it
>>>     > differently?
>>>     >
>>>     > The commentary that I received was that the term "risk" did not
>>>     > actually reflect the items on the lists. Folks have told me it
>>>     should
>>>     > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>     >
>>>     > I'm not sure what the right answer is here...
>>>     >
>>>     > Aloha,
>>>     > --
>>>     > Jim Manico
>>>     > @Manicode
>>>     > (808) 652-3805
>>>     >
>>>     >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>     >>
>>>     >> T10 lists does not accurately
>>>     >> reflect the most dangerous "risks" or that it would be better
>>>     to name it
>>>     >> differently?
>>>     > _______________________________________________
>>>     > OWASP-Leaders mailing list
>>>     > OWASP-Leaders at lists.owasp.org
>>>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>> Email us to enforce secure link with your mail servers (domain).
>>> This message may contain confidential information - you should 
>>> handle it accordingly.
>>

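Jim's footnote [1] above draws the line between "neutralizing special characters" (the CWE-89 wording) and query parameterization (a query whose text, and hence plan, is fixed before any input is seen). The script below is an added example and is not code from any message in this thread. It uses Python's standard sqlite3 module and a constructed in-memory `users` table (sample rows, not real data); the function names `login_concat`, `login_param` and `run_demo` are illustrative. It runs a CAPEC-66-style comment payload and a tautology payload through both a concatenated query and a parameterized one, and then shows that the bound value is compared verbatim, quote and all, rather than escaped or stripped.

```python
import sqlite3

# Added example: concatenated SQL (CWE-89) beside the parameterized form.
# The database and its rows are constructed sample data for this demo.


def make_db():
    """Build an in-memory SQLite database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable (CWE-89): the SQL text is assembled from the inputs, so
    quotes and comment markers in the input become part of the query's
    structure instead of its data."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Parameterized: the SQL text is fixed before any input is seen and the
    values are bound separately. Nothing is escaped or removed from the
    input; it simply never reaches the SQL parser."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_demo():
    """Run the same inputs through both query styles and collect results."""
    conn = make_db()
    results = {}

    # CAPEC-66-style payload: close the string and comment out the rest.
    # Concatenated: SELECT ... WHERE name = 'alice' --' AND password = 'wrong'
    payload = "alice' --"
    results["concat_comment"] = login_concat(conn, payload, "wrong")
    results["param_comment"] = login_param(conn, payload, "wrong")

    # Tautology payload: the concatenated query's WHERE clause becomes
    # always-true and every row comes back; the bound value matches nothing.
    taut = "' OR '1'='1"
    results["concat_tautology"] = login_concat(conn, "x" + taut, taut)
    results["param_tautology"] = login_param(conn, "x" + taut, taut)

    # A legitimate apostrophe: concatenation yields a syntax error, while the
    # bound value keeps its quote (it is not neutralized) and matches the row.
    try:
        login_concat(conn, "o'brien", "pw")
        results["concat_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = login_param(conn, "o'brien", "pw")

    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The comparison makes the footnote's point concrete: the parameterized query never transforms the input at all, which is why the apostrophe in `o'brien` still matches, and the injection payloads fail not because any character was filtered but because the query structure was already fixed when the values arrived.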